Thread: [SOLVED] Has my server been compromised?

  1. #1

    I had a HUGE surge of outgoing spam messages being sent from my server, and found 1500 deferred messages that were sent within the past hour to tons of random yahoo/hotmail accounts. I quickly started checking logs, and in the audit.log file I found an account that was logging in thousands of times; it was a general email account that nobody uses. I quickly changed the password and the emails stopped. What worries me is that the IP address that it was logging in from is the external IP for my mail server. The log looks like this:

    Code:
    2010-04-29 15:11:44,176 INFO  [btpool0-305] [ip=external ip removed;] security - cmd=Auth; account=<general address removed>; protocol=soap;

    So...since they were coming from my server IP, has my server been compromised? How can I find out what has happened? It seems I've been fighting spam going from my server for a while now, but every time I think I have it locked down, this happens again. This was the first time I actually found an account tied to the spam though...any help is greatly appreciated! Thanks :-)

    Edit:

    Who/whatever did this is still trying to login repeatedly, but is getting the "invalid password" error logged to the audit.log file.

  2. #2

    Yes, somehow they had guessed an account password.

    Sounds like you have it under control now.

  3. #3

    Should I worry that the login IP was coming from my own server?

  4. #4

    I am "assuming" the spammer was using port 80 to log in and generate the SPAM and that is why you are seeing the IP address of your actual mail server and not the IP address of the spammer.

    If you have kept your server updated and you have a local firewall running (iptables or similar), I'd think that your server is fine.

  5. #5

    Great. Thanks for your help!

  6. #6

    Have you applied this? I do not know if your version is affected; first search the forum to make sure.

    http://www.zimbra.com/forums/announc...ity-issue.html
    Last edited by owl700; 04-29-2010 at 02:59 PM.

  7. #7

    Quote Originally Posted by owl700
    Have you applied this? I do not know if your version is affected; first search the forum to make sure.

    http://www.zimbra.com/forums/announc...ity-issue.html
    This is a pretty old security issue, back in the 4.x series. The user's profile says he's using 5.0.9, which is WAY beyond when this was patched, so it should not be an issue.
    Cheers,

    Dan

  8. #8

    We had a similar error (http://www.zimbra.com/forums/adminis...tml#post168578), but my log showed the IP of the hacker:

    Code:
    2010-01-19 00:12:17,989 INFO [btpool0-22965://localhost/service/soap/AuthRequest] [name=account@ourdomain.com;oip=173.162.144.38;ua=zclient/6.0.4_GA_2038.RHEL5_64;] security - cmd=Auth; account=account@ourdomain.com; protocol=soap;

    Changing the password fixed the problem for us as well:

    Code:
    2010-01-19 14:23:51,075 WARN [btpool0-23545://localhost/service/soap/AuthRequest] [name=account@ourdomain.com;oip=64.251.25.150;ua=zclient/6.0.4_GA_2038.RHEL5_64;] security - cmd=Auth; account=account@ourdomain.com; protocol=soap; error=authentication failed for account@ourdomain.com, account(or domain) status is closed;
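
A small triage script in the spirit of this thread, added here as an example and not something any of the participants posted: it parses Zimbra audit.log lines of the shape quoted above, prefers the oip= originating address over ip= where the request came through the local proxy (so the "login from my own server IP" case in post #1 becomes visible), and counts Auth attempts and failures per account. The sample log lines, account names, addresses and the threshold are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the audit.log shape quoted in this thread (not real log data).
SAMPLE_AUDIT_LOG = """\
2010-04-29 15:11:44,176 INFO  [btpool0-305] [ip=192.0.2.10;] security - cmd=Auth; account=general@example.com; protocol=soap;
2010-04-29 15:11:45,201 INFO  [btpool0-306] [ip=192.0.2.10;] security - cmd=Auth; account=general@example.com; protocol=soap;
2010-04-29 15:11:46,330 INFO  [btpool0-307] [ip=192.0.2.10;] security - cmd=Auth; account=general@example.com; protocol=soap;
2010-04-29 15:12:01,002 INFO  [btpool0-308://localhost/service/soap/AuthRequest] [name=alice@example.com;oip=203.0.113.7;ua=zclient/6.0.4_GA_2038.RHEL5_64;] security - cmd=Auth; account=alice@example.com; protocol=soap;
2010-04-29 15:12:05,444 WARN  [btpool0-309://localhost/service/soap/AuthRequest] [name=general@example.com;oip=198.51.100.9;ua=zclient/6.0.4_GA_2038.RHEL5_64;] security - cmd=Auth; account=general@example.com; protocol=soap; error=authentication failed for general@example.com, invalid password;
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<level>\w+)\s+\[[^\]]*\] "
                     r"\[(?P<ctx>[^\]]*)\] security - (?P<body>.*)$")

def _kv(segment):
    # 'k=v;k=v;' -> dict; split on the first '=' only, since error text may contain '='
    pairs = (p.strip().split("=", 1) for p in segment.split(";") if "=" in p)
    return {k: v for k, v in pairs}

def parse_audit_line(line):
    """One audit.log line -> record, or None if the line is not a security event."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ctx, body = _kv(m.group("ctx")), _kv(m.group("body"))
    # oip= is the originating client address when the request came through the
    # local proxy (post #8); older lines carry only ip=, which may be the server itself.
    return {"ts": m.group("ts"), "cmd": body.get("cmd"), "account": body.get("account"),
            "source_ip": ctx.get("oip") or ctx.get("ip"), "failed": "error" in body}

def auth_summary(log_text):
    """Per-account Auth attempt count, failure count and set of source IPs."""
    summary = defaultdict(lambda: {"attempts": 0, "failures": 0, "ips": set()})
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec and rec["cmd"] == "Auth":
            s = summary[rec["account"]]
            s["attempts"] += 1
            s["failures"] += int(rec["failed"])
            s["ips"].add(rec["source_ip"])
    return dict(summary)

def suspicious_accounts(log_text, threshold):
    """Accounts with more than `threshold` Auth attempts, busiest first."""
    summ = auth_summary(log_text)
    return sorted((a for a, s in summ.items() if s["attempts"] > threshold),
                  key=lambda a: -summ[a]["attempts"])
```

Run it against a real audit.log by reading the file into `log_text`; an account whose attempt count dwarfs its normal usage, or whose IPs are all the server's own address, is the one to lock and reset as post #1 did.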
